Department of Homeland Security

Technical Security Evaluation of DHS Components at O'Hare Airport
(Redacted)

OIG-12-45    March 2012

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

March 6, 2012

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment
to the Inspector General Act of 1978. This is one of a series of audit, inspection, and
special reports prepared as part of our oversight responsibilities to promote economy,
efficiency, and effectiveness within the Department.

This report addresses the strengths and weaknesses of the information security controls
implemented by U.S. Customs and Border Protection, U.S. Immigration and Customs
Enforcement, and the Transportation Security Administration based on guidance
provided by the Office of the Chief Information Officer. It is based on interviews with
employees and officials of relevant agencies and institutions, direct observations, and a
review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our
office, and have been discussed in draft with those responsible for implementation. We
trust this report will result in more effective, efficient, and economical operations.
We express our appreciation to all of those who contributed to the preparation of
this report.

Frank Deffer
Assistant Inspector General
Information Technology Audits

Table of Contents/Abbreviations

Executive Summary

Background

Results of Review

    CBP Did Not Comply Fully With DHS Sensitive System Policies
    Recommendations
    Management Comments and OIG Analysis

    ICE Did Not Comply Fully With DHS Sensitive System Policies
    Recommendations
    Management Comments and OIG Analysis

    TSA Did Not Comply Fully With DHS Sensitive System Policies
    Recommendations
    Management Comments and OIG Analysis

Appendices

    Appendix A: Purpose, Scope, and Methodology
    Appendix B: Management Comments to the Draft Report
    Appendix C: Major Contributors to this Report
    Appendix D: Report Distribution

Abbreviations

BIA                   Business Impact Assessment
CBP                   U.S. Customs and Border Protection
CIO                   Chief Information Officer
CISO                  Chief Information Security Officer
COOP                  Continuity of Operations Plan
DHS                   Department of Homeland Security
DHS Directive 4300A   DHS Sensitive Systems Policy Directive 4300A
DHS 4300A Handbook    DHS 4300A Sensitive Systems Handbook
DVD                   Digital Video Disc
FIPS                  Federal Information Processing Standards Publication
GAO                   U.S. Government Accountability Office
GSS                   general support system
ICE                   U.S. Immigration and Customs Enforcement
IT                    information technology
LAN                   local area network
MEF                   mission essential functions
NII Systems           Non-Intrusive Inspection Systems
NIST                  National Institute of Standards and Technology
OIG                   Office of Inspector General
OneNet                DHS One Network
ORD                   Chicago O'Hare International Airport
PALS                  Portable Automated Lookup System
PIA                   Privacy Impact Assessment
POE                   port of entry
PTA                   Privacy Threshold Analysis
RAC                   Resident Agent in Charge
SAC                   Special Agent in Charge
SP                    Special Publication
STIP                  Security Technology Integrated Program
TSA                   Transportation Security Administration
TSANet                Transportation Security Administration Network
TSE                   transportation security equipment
WAN                   wide area network

Executive Summary

As part of our Technical Security Evaluation Program, we evaluated technical and
information security policies and procedures of Department of Homeland Security
components at Chicago O'Hare International Airport. U.S. Customs and Border
Protection, U.S. Immigration and Customs Enforcement, and the Transportation
Security Administration operate information technology systems that support
homeland security operations at this airport.

Our evaluation focused on how these components had implemented computer security
operational, technical, and management controls at the airport and nearby locations.
We performed onsite inspections of the areas where these assets were located,
interviewed departmental staff, and conducted technical tests of internal controls.
We also reviewed applicable policies, procedures, and other relevant documentation.

The information technology security controls implemented at these sites have
deficiencies that, if exploited, could result in the loss of confidentiality,
integrity, and availability of the components' information technology systems.
Specifically, these components need to improve their physical security and
environmental controls for telecommunications equipment and servers. These
components also need to improve their management controls by upgrading system
information to document security controls more fully.

Technical Security Evaluation of DHS Activities at Chicago O'Hare International Airport

Background

We designed our Technical Security Evaluation Program to provide senior Department
of Homeland Security (DHS) officials with timely information on whether they had
properly implemented DHS information technology (IT) security policies at critical
sites. Our program is based on DHS Sensitive Systems Policy Directive 4300A,
version 8.0 (DHS Directive 4300A), which applies to all DHS components. It provides
direction to managers and senior executives regarding the management and
protection of sensitive systems.
DHS Directive 4300A also outlines policies relating to the operational, technical,
and management controls that are necessary for ensuring confidentiality, integrity,
availability, authenticity, and nonrepudiation within the DHS IT infrastructure and
operations. A companion document, the DHS 4300A Sensitive Systems Handbook,
version 7.2.1.1 (DHS 4300A Handbook), provides detailed guidance on the
implementation of these policies. For example, according to the DHS 4300A Handbook,

    Components shall categorize systems in accordance with [Federal Information
    Processing Standards Publication] FIPS 199, Standards for Security
    Categorization of Federal Information and Information Systems and shall apply
    the appropriate NIST SP 800-53 controls.[1]

DHS IT security policies are organized under operational, technical, and management
controls. According to DHS Directive 4300A, these controls are defined as follows:

• Operational Controls - Focus on mechanisms primarily implemented and executed by
  people. These controls are designed to improve the security of a particular
  system or group of systems and often rely on management and technical controls.

• Technical Controls - Focus on security controls executed by information systems.
  These controls provide automated protection from unauthorized access or misuse.
  They facilitate detection of security violations and support security
  requirements for applications and data.

• Management Controls - Focus on managing both the system information security
  controls and system risk. These controls consist of risk mitigation techniques
  and concerns normally addressed by management.

[1] National Institute of Standards and Technology (NIST) Special Publication (SP)
800-53, Recommended Security Controls for Federal Information Systems.

Our evaluation focused on U.S. Customs and Border Protection (CBP), U.S.
Immigration and Customs Enforcement (ICE), and the Transportation Security
Administration (TSA), which have activities at Chicago O'Hare International Airport
(ORD) and rely on a range of IT assets to support their respective missions. As a
Category X airport, ORD is one of the airports with the largest number of
enplanements, processing approximately 67 million passengers in 2010.[2]

At ORD, 255 CBP Officers and Agricultural Specialists staff 68 primary passenger
lanes, review flight data for terrorist-related activities, and process fines and
civil penalties.
Additionally, 200 CBP staff at nearby locations use IT assets to perform cargo
manifest review and targeting, outbound passenger review and targeting, and inbound
mail processing.

The following CBP locations were reviewed:

• ORD Terminal 5
• ORD International Mail Branch
• Port Office, Rosemont, IL
• Management Inspection Division and the Office of Professional Responsibility,
  Rosemont, IL

[2] There are five categories of airports - X, I, II, III, and IV. Category X
airports have the largest number of enplanements and category IV airports have the
smallest number.

CBP staff at these locations use the following systems:

• The Central Field Local Area Network (LAN). This system provides the general
  support network infrastructure for the CBP end-users' electronic communication
  for the performance of their daily official duties.

• The DHS One Network (OneNet). The DHS OneNet is a general support system (GSS)
  providing all wide area network communications for the servicewide DHS sensitive
  but unclassified environment.

• Global Entry.
  The Global Entry program benefits preapproved, low-risk air travelers by allowing
  them to avoid passport control lines through the use of the automated
  self-service Global Entry kiosk to clear customs, immigration, and agriculture.
  The Global Entry program also benefits CBP and participating foreign governments
  by allowing them to focus their efforts on unknown and potentially higher risk
  air travelers, thereby facilitating the movement of people more efficiently and
  effectively, while serving as a force multiplier for CBP.

• Non-Intrusive Inspection (NII) Systems. NII Systems enable CBP to perform more
  effective and efficient nonintrusive inspections and screenings of cars, trucks,
  railcars, sea containers, personal luggage, packages, parcels, and flat mail.
  NII Systems are designed to detect illicit goods, such as drugs, money, guns,
  ammunition, agricultural items, and explosives; and chemical, biological, and
  nuclear agents.

• TECS.[3] TECS supports enforcement and inspection operations for several
  components of DHS and is a vital tool for the law enforcement and intelligence
  communities at the local, state, tribal, and federal government levels. TECS
  comprises several subsystems that include enforcement, inspection, and
  intelligence records relevant to the antiterrorist and law enforcement mission of
  CBP and the other federal agencies it supports.

ICE's office of the Resident Agent in Charge (RAC) identifies and investigates
security issues with a foreign nexus at ORD.
The RAC's areas of responsibility at ORD include the following:

• Investigations of internal criminal conspiracies involving employees of companies
  doing business at ORD
• Identification, interdiction, and apprehension of currency smugglers from ORD
• Enforcement activities on internal drug-smuggling carriers arriving at ORD
• Enforcement actions that center on the interception of parcels containing illegal
  narcotics and initiation of controlled deliveries on these parcels if appropriate
• Investigations of illegal workers having unescorted access to secure areas of the
  airport
• Investigations aimed at protecting critical infrastructure industries that are
  vulnerable to sabotage, attack, or exploitation

[3] Prior to the government realignment, TECS was owned by the U.S. Department of
Treasury, U.S. Customs Service, and operated under the name Treasury Enforcement
Communication System. In 2008, the application was renamed "TECS" to eliminate the
association with the U.S. Department of Treasury.

The following ICE locations were reviewed:

• Resident Agent in Charge, Des Plaines, IL
• Management Inspection Division and the Office of Professional Responsibility,
  Rosemont, IL

ICE staff use the Special Agent in Charge (SAC) Midwest GSS. The SAC Midwest GSS
supports the ICE Office of Investigations mission by providing access to law
enforcement data processing resources available through DHS OneNet.
Interconnectivity with DHS OneNet further enhances the mission support capabilities
of the SAC GSS by allowing users remote access through secure virtual private
networking and access to the public Internet. Local data processing resources
directly supported by the SAC Midwest GSS are file sharing and print services.

TSA's activities include screening passengers and baggage on all departing flights
at ORD.
To support these activities, TSA has operations in each of the terminals at ORD, as
well as at a nearby office building.

The following TSA locations were reviewed:

• ORD Terminals 1, 2, 3, and 5
• Office of the Federal Security Director, Rosemont, IL

TSA staff at these locations use the following systems:

• End User Computing. This system provides TSA employees and contractors with
  desktops, laptops, local printers, and other end user computing applications at
  the various DHS/TSA locations and sponsored sites.

• Infrastructure Core System. This system provides core services, including file
  and print services, to the entire TSA user community.

• The Security Technology Integrated Program (STIP). The STIP combines many
  different types of components, including transportation security equipment (TSE),
  servers and storage, software/application products, and databases. A user
  physically accesses the TSE to perform screening or other administrative
  functions.

• The Transportation Security Administration Network (TSANet).
  Owing to its geographically dispersed topology, the TSANet GSS is considered a
  wide area network (WAN). The TSANet GSS consists of the WAN backbone and LAN at
  each site that connects to the backbone. The TSANet GSS provides connectivity for
  airports and their users.

Results of Review

CBP Did Not Comply Fully With DHS Sensitive System Policies

CBP could strengthen operational, technical, and management controls for its
servers, routers, and switches operating at ORD. For example, CBP could improve
environmental controls and the placement of telecommunications equipment. CBP also
should scan
periodically to identify vulnerabilities. Additionally, CBP should update ORD
systems documentation in the areas of security categorization, privacy compliance,
and business impact analysis. Collectively, these deficiencies could place at risk
the confidentiality, integrity, and availability of the data stored, transmitted,
and processed by CBP at ORD.

Operational Controls

Onsite implementation of operational controls that did not conform fully to DHS
policies included inadequate temperature and humidity controls and the
inappropriate placement of IT equipment.
Additionally, onsite IT assets may be insufficient to ensure continuity of CBP
operations at ORD.

Environmental Controls

In three of the five CBP server rooms at ORD, the temperature was higher and the
humidity was lower than recommended by the DHS 4300A Handbook. In addition, several
of the server rooms and wire closets did not contain temperature or humidity
sensors.

According to the DHS 4300A Handbook,

    The following should be considered when developing a strategy for temperature
    and humidity control:

    • Temperatures in computer storage areas should be held between 60 and 70
      degrees Fahrenheit. Most systems will continue to function when temperatures
      go beyond this range, but the associated risk to data is increased. (Check
      individual system documentation for the proper levels.)

    • Humidity should be at a level between 35 percent and 65 percent. Most systems
      will continue to function when humidity goes beyond this range, but the
      associated risk to data is increased. (Check individual system documentation
      for the proper levels.)

CBP needs to better monitor and control the humidity and temperature in its server
rooms at ORD.
Low humidity can result in static, and high temperatures can damage sensitive
elements of computer systems.

Inappropriate Placement of Telecommunications Equipment

Telecommunications equipment, including racks, cables, and network switches,
connects IT resources to a LAN. In two locations at ORD, CBP has placed
telecommunications equipment in rooms containing water heaters (see figure 1). If
these water heaters malfunction, there is a risk that CBP's telecommunications
equipment could suffer water damage, preventing users from accessing the IT
resources they need to perform their mission.

Figure 1: Water heater in room with CBP telecommunications rack.

At another location at ORD, CBP has placed telecommunications equipment in a supply
room/office. At this location, there are no barriers protecting the
telecommunications equipment.
There is a risk that CBP telecommunications equipment could be damaged when
supplies are moved into or out of this room.

According to DHS Directive 4300A,

    Controls for deterring, detecting, restricting, and regulating access to
    sensitive areas shall be in place and shall be sufficient to safeguard against
    possible loss, theft, destruction, damage, hazardous conditions, fire,
    malicious actions, and natural disasters.

CBP's computer infrastructure may deteriorate under adverse environmental
conditions, preventing access to automated systems that are necessary for staff to
perform their mission.

Redundant Telecommunications Services

In May 2008, we reported that a single point of failure contributed to a network
outage at Los Angeles International Airport.[4] We also recommended that CBP
determine whether actions taken to reduce the potential for a network outage should
also be performed at other locations. In response, CBP established the Systems
Availability Project to implement corrective actions at other CBP ports of entry
(POEs).

The Systems Availability Project included providing redundant communications,
power, and computing capabilities at field locations and central data center
facilities.
The Systems Availability Project established redundant telecommunications services
for a prioritized list of

[4] Lessons Learned from the August 11, 2007 Network Outage at Los Angeles
International Airport (OIG-08-58), May 2008.

According to DHS 4300A Handbook Attachment M, Tailoring the NIST SP 800-53 Security
Controls,

    Risk and Infrastructure - A risk-based management decision is made on the
    requirements for telecommunication services. The availability requirements for
    the system will determine the time period within which the system connections
    must be available. If continuous availability is required, redundant
    telecommunications services may be an option. Once a decision is made on the
    requirements for telecommunications services, agreements must be made between
    the appropriate officials involved.

    Risk - NIST 800-53 allows for downgrading this security control for
    availability.
    This is appropriate when (1) the availability impact level is upgraded to meet
    the "high water mark" process, (2) supported by an organizational risk
    assessment, [and] (3) does not impact the security relevant information at the
    system level.

CBP should conduct a risk assessment to determine whether redundant
telecommunications services would be appropriate for staff at these three
locations.

Business Continuity

Airport authorities have contingency plans in place to deal with power outages,
including diverting flights to reduce the burden on passengers and the airport's
infrastructure. CBP's business continuity plan for dealing with power outages at
ORD includes the use of 18 laptops that contain the Portable Automated Lookout
System (PALS).[5] However, the 18 PALS laptops may not be sufficient to process
passengers through the 68 passenger processing lanes at ORD during an extended
power outage.
Since the PALS laptops have a battery life of only 2 hours, CBP may not be able to
process all incoming passengers during a power outage before the laptops lose
battery power.

According to the DHS 4300A Handbook,

    DHS must have the capability to ensure continuity of essential functions under
    all circumstances.

CBP staff at ORD proposed, as an interim solution, the purchase of additional
long-life batteries.

Technical Controls

In October 2008, we reported that CBP was not regularly scanning

[5] PALS is a contingency system used when CBP Inspection Officers do not have
connectivity to TECS. PALS utilizes extracts of the TECS database, which identifies
individuals who should be denied entry.

[6] Technical Security Evaluation of DHS Activities at Los Angeles International
Airport (OIG-09-01), October 2008.

CBP will continue migrating users from                 through the end of fiscal
year 2011.
CBP's plans to address                 are dependent on funding, and the
schedule has not yet been determined.

According to the DHS 4300A Handbook,

    Components shall manage systems to reduce vulnerabilities through
    vulnerability testing and management, promptly installing patches,
    and eliminating or disabling unnecessary services.

CBP must be able to scan its systems periodically to identify
vulnerabilities, and then take corrective actions to reduce these
vulnerabilities.

Management Controls

CBP's implementation of management controls for systems operating at ORD
did not conform fully to DHS policies. Specifically, CBP could improve the
documentation for these systems in the areas of security categorization,
privacy compliance, and business impact analysis.

System Security Categorization

CBP has assessed the Central Field LAN's security categorization as
moderate for confidentiality, integrity, and availability. However, CBP
staff use the Central Field LAN to perform border and transportation
security activities.
DHS guidance recommends that systems that are used for border and
transportation security activities have a high security categorization.

For example, the DHS FIPS 199 Workbook, version 8, includes the following
descriptions for the border and transportation security integrity impact
levels:

    Unauthorized modification or destruction of information associated
    with ensuring security of transportation and infrastructure networks,
    facilities, vehicles, and personnel within the United States may
    seriously affect mission operations or result in the loss of human
    life. Unauthorized modification or destruction of information
    affecting antiterrorism information may adversely affect mission
    operations in a manner that results in unacceptable damage

should be denied entry. Because personally identifiable information is
installed on the Central Field LAN, a PIA is needed.

According to DHS' Privacy Impact Assessments (PIA) Official Guidance,

    A PIA should be completed for any program, system, technology, or
    rulemaking that involves personally identifiable information.
    Personally identifiable information is information in a program,
    system, online collection, or technology that permits the identity of
    an individual to be directly or indirectly inferred, including any
    other information which is linked or linkable to that individual
    regardless of whether the individual is a U.S. citizen, lawful
    permanent resident, visitor to the U.S., or employee or contractor to
    the Department.

Without identifying whether systems contain personally identifiable
information, CBP staff cannot be assured they are addressing all privacy
compliance activities.

Business Impact Assessments

Although CBP has prepared a Business Impact Assessment (BIA) for the
Central Field LAN, it has not prepared a BIA for the other four systems
operating at ORD. According to the DHS 4300A Handbook,

    The Business Impact Assessment (BIA) is essential in the
    identification of critical DHS assets.

The BIA helps to identify and prioritize critical IT systems and
components.
BIAs are also essential for contingency planning. For example, a BIA would
allow CBP to identify maximum tolerable downtime, the resources required to
resume mission/business processes, and recovery priorities for system
resources.

In response to our requests for the BIAs associated with the identified
systems, CBP staff at ORD said that BIAs were required only for
Operations.[8] Without performing a BIA, CBP cannot be assured that its
backup and recovery plans meet the needs of the business owners (e.g.,
recovery time objective and recovery point objective).

[8] According to NIST SP 800-34 Rev. 1, Contingency Planning Guide for
    Federal Information Systems, "COOP focuses on restoring an
    organization's mission essential functions (MEF) at an alternate site
    and performing those functions for up to 30 days before returning to
    normal operations."

Recommendations

We recommend that the CBP Chief Information Officer (CIO):

Recommendation #1: Relocate telecommunications equipment so that the
potential for accidental damage is minimized; obtain temperature and
humidity sensors, and ensure that server rooms are maintained within DHS'
recommended ranges.

Recommendation #2: Explore near- and long-term solutions to its business
continuity issues at ORD.
Potential solutions would include purchasing additional extended-life
laptop batteries, analyzing how many passengers per hour are processed
using PALS laptops, and purchasing enough PALS laptops to process ORD
passengers within an acceptable timeframe.

Recommendation #3: Determine if it is cost effective to establish redundant
telecommunications services at         identified CBP locations.

Recommendation #4: Perform scans periodically to identify vulnerabilities,
and then take corrective actions to reduce these vulnerabilities.

Recommendation #5: Update the Central Field LAN's FIPS 199 Workbook with
all relevant information.

Recommendation #6: Prepare a PIA for the Central Field LAN.

Recommendation #7: Prepare the missing BIAs for the identified CBP systems
operating at ORD.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the CBP
Assistant Commissioner for Internal Affairs.
We have included a copy of the comments in their entirety at appendix B.
The CBP Assistant Commissioner concurred with all seven recommendations.

Recommendation 1

In response to recommendation 1, CBP will move two racks, relocate cables,
and purchase temperature and humidity sensors. These actions are dependent
upon available funding.

OIG Analysis

The actions being taken satisfy the intent of this recommendation. This
recommendation is considered resolved, but will remain open until CBP
provides documentation to support that the planned corrective actions are
completed.

Recommendation 2

OIG Analysis

CBP's actions satisfy the intent of this recommendation. However, CBP needs
to address the other issues we raised, including obtaining sufficient
resources, such as long-life batteries, to process passengers in a timely
manner during an outage. This recommendation is considered resolved, but
will remain open until CBP provides documentation to support that the
planned corrective actions are completed.

Recommendation 3

In response to recommendation 3, CBP has determined that redundant
communications circuits are not needed for locations with fewer than 50
employees.
Additionally, according to CBP, it has taken actions at the Port Office to
install redundant circuits and will provide evidence to document that this
has occurred.

OIG Analysis

We agree that the actions being taken satisfy the intent of this
recommendation. This recommendation is considered resolved, but will remain
open until CBP provides documentation to support that the planned
corrective actions are completed.

Recommendation 4

In response to recommendation 4, CBP is routinely performing vulnerability
assessment scans of its               Additionally, CBP is taking actions
to decommission and replace these servers.

OIG Analysis

We agree that the actions being taken satisfy the intent of this
recommendation. This recommendation is considered resolved, but will remain
open until CBP provides documentation to support that the planned
corrective actions are completed.

Recommendation 5

In response to recommendation 5, CBP has removed PALS data from its Central
Field LAN. According to CBP, because the PALS data has been removed, the
FIPS Workbook data for the Central Field LAN are now accurate.
CBP requests that we close this recommendation.

OIG Analysis

We do not agree that CBP has addressed this recommendation in full. The
inclusion of PALS data on the Central Field LAN was only one of the reasons
to update the FIPS 199 Workbook. For example, in this report we also
documented that the FIPS 199 Workbook may not be accurate as it did not
include all activities supported by the Central Field LAN.

Recommendation 5 is considered unresolved and open pending verification
that the actions being taken satisfy the intent of this recommendation.

[9] Lessons Learned from the August 11, 2007, Network Outage at Los Angeles
    International Airport (OIG-08-58), May 2008.

ICE Did Not Comply Fully With DHS Sensitive System Policies

ICE could strengthen operational and management controls for its servers
and switches operating at facilities near ORD. For example, ICE could
improve environmental controls for these systems. ICE should also determine
whether redundant telecommunications services are cost effective for its
ORD locations. Additionally, ICE should continue efforts to document the
systems at ORD more accurately.
Collectively, these deficiencies could place at risk the confidentiality,
integrity, and availability of the data stored, transmitted, and processed
by ICE at ORD.

Operational Controls

Onsite implementation of operational controls that did not conform fully to
DHS policies included inadequate temperature and humidity controls and the
inappropriate placement of IT equipment.

Environmental Controls

ICE's operational controls over wire closets and server rooms at ORD
locations could be strengthened. For instance, one of ICE's server rooms
did not have automated fire suppression or a smoke detector. Additionally,
there was excess storage in this room (see figure 2). Further, there were
no temperature or humidity sensors. At this location, the humidity and
temperature were not within the ranges recommended by DHS server room
guidance.

Figure 2: Storage in room with ICE IT equipment.

ICE plans to relocate equipment at this site to a more appropriate
facility. However, these plans have been delayed owing to budget
constraints.
Additionally, according to ICE staff, this site is exempted from government
fire suppression requirements because ICE is occupying less than 35,000
square feet and the offices are not above the fifth floor.

Although the humidity in an ICE server room at a second location was within
DHS server room guidance, no humidity sensor was present.

According to DHS Directive 4300A,

    Controls for deterring, detecting, restricting, and regulating access
    to sensitive areas shall be in place and shall be sufficient to
    safeguard against possible loss, theft, destruction, damage,
    hazardous conditions, fire, malicious actions, and natural disasters.

According to the DHS 4300A Handbook,

    The following should be considered when developing a strategy for
    temperature and humidity control:

    • Temperatures in computer storage areas should be held between 60
      and 70 degrees Fahrenheit. Most systems will continue to function
      when temperatures go beyond this range, but the associated risk to
      data is increased. (Check individual system documentation for the
      proper levels.)

    • Humidity should be at a level between 35 percent and 65 percent.
      Most systems will continue to function when humidity goes beyond
      this range, but the associated risk to data is increased. (Check
      individual system documentation for the proper levels.)

ICE needs to better monitor and control the humidity and temperature in its
server rooms at ORD. Low humidity can result in static, and high
temperatures can damage sensitive elements of computer systems.

Redundant Telecommunications Services

ICE has not established redundant telecommunications services at its ORD
locations. Specifically, only one telecommunications circuit services the
users at each of the two locations. As a result, performance of
mission-critical activities at these locations is vulnerable to disruptions
in the event of a telecommunications failure.

According to DHS 4300A Handbook Attachment M, Tailoring the NIST SP 800-53
Security Controls,

    Risk and Infrastructure - A risk-based management decision is made on
    the requirements for telecommunication services. The availability
    requirements for the system will determine the time period within
    which the system connections must be available. If continuous
    availability is required, redundant telecommunications services may
    be an option.
    Once a decision is made on the requirements for telecommunications
    services, agreements must be made between the appropriate officials
    involved.

    Risk - NIST 800-53 allows for downgrading this security control for
    availability. This is appropriate when (1) the availability impact
    level is upgraded to meet the "high water mark" process, (2)
    supported by an organizational risk assessment, [and] (3) does not
    impact the security relevant information at the system level.

ICE should conduct a risk assessment to determine whether redundant
telecommunications services would be appropriate for staff at these two
locations.

Management Controls

ICE's implementation of management controls for systems operating at ORD
did not conform fully to DHS policies. Specifically, ICE should establish
BIAs for its systems operating at ORD and also better document the
accreditation boundaries for these systems.

Missing Business Impact Assessment

ICE had not prepared a BIA for SAC Midwest GSS. According to the DHS 4300A
Handbook,

    The Business Impact Assessment (BIA) is essential in the
    identification of critical DHS assets.

The BIA helps to identify and prioritize critical IT systems and
components.
BIAs are also essential for contingency planning. For example, a BIA would
allow ICE to identify maximum tolerable downtime, the resources required to
resume mission/business processes, and recovery priorities for system
resources. Without performing a BIA, ICE cannot be assured that

Recommendations

We recommend that the ICE CIO:

Recommendation #8: Improve physical security and environmental controls at
ORD sites by obtaining smoke detectors and humidity/temperature sensors;
ensure that server rooms are maintained within DHS' recommended temperature
and humidity ranges; and provide barriers protecting IT infrastructure from
being inadvertently damaged in a supply room.

Recommendation #9: Determine if it is cost effective to establish redundant
telecommunications services at the two identified ICE locations.

Recommendation #10: Prepare a BIA for the SAC Midwest GSS.

Recommendation #11: Continue to establish nationwide systems to resolve
known deficiencies with the ICE Midwest GSS accreditation boundaries.

Management Comments and OIG Analysis

We obtained comments on a draft of this report from ICE's Chief Financial
Officer. We have included a copy of the comments in their entirety at
appendix B. Separately, ICE provided evidence that a fire extinguisher is
now outside the server room.
This action will be included in the body of the report and the wording
"fire extinguisher" will be removed from the recommendation.

ICE did not concur with recommendations 8, 9, and 10. ICE concurred with
recommendation 11.

Recommendation 8

ICE did not concur with this recommendation. In response to recommendation
8, ICE acknowledged the physical and environmental deficiencies in its
office. However, ICE cannot require building management to retrofit one
suite in the dual-use facility, and the building manager did not agree to
renovate the ICE suite. Further, according to ICE, there are no funds
available to relocate. ICE requests that OIG consider this recommendation
closed.

OIG Analysis

We do not agree that this recommendation should be closed. Although ICE may
not currently have the funding to relocate to a more appropriate facility,
ICE should enact compensating physical and environmental controls. For
example, ICE should assess the feasibility of installing smoke detectors.
Recommendation 8 is considered unresolved and open until ICE provides
documentation to support that the planned corrective actions are completed.

Recommendation 9

ICE did not concur with this recommendation.
In response to recommendation 9, ICE documented its Office of the Chief
Information Officer Enterprise Operations process for determining which
sites require redundant communications. According to ICE, most RAC offices
are near a SAC office where redundancy exists. Additionally, to provide
redundancy at well over 600 field sites would cost millions of dollars.
Further, a Continuity of Operations Plan (COOP) is currently in place
should the need arise. ICE requests that OIG consider this recommendation
closed.

OIG Analysis

We agree with ICE's response and have closed this recommendation.

Recommendation 10

ICE did not concur with recommendation 10. According to ICE, DHS does not
provide a BIA template and ICE does not have a requirement for a BIA for
individual systems. ICE's Disaster Recovery Branch maintains an
enterprise-level BIA and updates it as necessary. Further, ICE will have a
BIA when the new nationwide Type Accreditation package receives an
authorization to operate.
ICE requests that OIG consider this recommendation closed.

OIG Analysis

We do not agree that this recommendation should be closed. Although DHS
guidance is not clear concerning BIAs, NIST has provided government-wide
guidance and templates in this area.[11] For example, according to NIST SP
800-34,

    COOP functions are subject to a process-focused BIA; federal
    information systems are subject to a system-focused BIA.

[11] NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal
     Information Systems.

Recommendation 10 is considered unresolved and open until ICE provides
documentation to support that the planned corrective actions are completed.

Recommendation 11

In response to recommendation 11, ICE is currently developing a new
security authorization package to address the IT assets at Chicago O'Hare.
ICE will assess the accreditation boundary at ORD and other sites before
obtaining the new authorization to operate.
The estimated completion date is December 2011.

OIG Analysis

The actions being taken satisfy the intent of this recommendation. This
recommendation is considered resolved, but will remain open until ICE
provides documentation to support that the planned corrective actions are
completed.

TSA Did Not Comply Fully With DHS Sensitive System Policies

TSA could strengthen operational, technical, and management controls for
its servers operating at facilities near ORD. For example, TSA could
improve environmental and contingency planning controls. TSA should also
perform vulnerability scans on all servers at ORD. Additionally, TSA should
prepare BIAs for the IT systems operating at ORD. Collectively, these
deficiencies could place at risk the confidentiality, integrity, and
availability of the data stored, transmitted, and processed by TSA at ORD.

Operational Controls

Onsite implementation of operational controls that did not conform fully to
DHS policies included inadequate temperature and humidity controls.
Additionally, onsite IT assets may be insufficient to ensure continuity of
TSA operations at ORD.

Environmental Controls

TSA's operational controls over server rooms could be strengthened.
Specifically, during our fieldwork, all seven server rooms had lower
humidity than recommended by DHS guidance. Further, only one of the seven
server rooms' temperature was within the range recommended by DHS guidance.

According to the DHS 4300A Handbook,

    The following should be considered when developing a strategy for
    temperature and humidity control:

    • Temperatures in computer storage areas should be held between 60
      and 70 degrees Fahrenheit. Most systems will continue to function
      when temperatures go beyond this range, but the associated risk to
      data is increased. (Check individual system documentation for the
      proper levels.)

    • Humidity should be at a level between 35 percent and 65 percent.
      Most systems will continue to function when humidity goes beyond
      this range, but the associated risk to data is increased. (Check
      individual system documentation for the proper levels.)

TSA needs to better monitor and control the humidity and temperature in its
server rooms. Low humidity can result in static, and high temperatures can
damage sensitive elements of computer systems.

After our fieldwork, TSA decommissioned servers and removed them from two
of the server rooms.
Additionally, TSA has adjusted the temperature and humidity in two of the
other server rooms to ensure that they are within DHS guidance. Further,
TSA is working to bring the temperature and humidity in the remaining three
server rooms to within DHS guidance.

Redundant Telecommunications Services

According to DHS 4300A Handbook Attachment M, Tailoring the NIST SP 800-53
Security Controls,

    Risk and Infrastructure - A risk-based management decision is made on
    the requirements for telecommunication services. The availability
    requirements for the system will determine the time period within
    which the system connections must be available. If continuous
    availability is required, redundant telecommunications services may
    be an option. Once a decision is made on the requirements for
    telecommunications services, agreements must be made between the
    appropriate officials involved.

    Risk - NIST 800-53 allows for downgrading this security control for
    availability.
    This is appropriate when (1) the availability impact level is
    upgraded to meet the "high water mark" process, (2) supported by an
    organizational risk assessment, [and] (3) does not impact the
    security relevant information at the system level.

Currently, TSA is investigating the use of a local metropolitan area
network at ORD to improve reliability and also to reduce costs by
consolidating the number of circuits by interconnecting the terminals via
optical fiber.

As noted earlier in this report, CBP has established redundant
telecommunications services for its ORD Terminal 5 location. TSA may
utilize the same redundant DHS OneNet circuits being used by CBP as its
alternative circuits to provide cost-effective redundancy at TSA's ORD
terminal locations.

Technical Controls

Some of TSA's servers at ORD are part of the STIP IT system (see figure 3).
These STIP servers are not attached to a wide area network and have not
been scanned for vulnerabilities. TSA's Assessment and Authorization
process had not completely assessed these stand-alone systems. Further, a
recent TSA Technical Vulnerability Audit of the TSA network did not
document the existence of these servers as they were not within the audit
scope. As a result, TSA had not performed vulnerability scans on these
servers at the time of our fieldwork.
Without\n                performing scans to identify vulnerabilities, TSA may not be\n                taking the necessary corrective actions to reduce the impact of\n                these vulnerabilities. After our fieldwork, TSA Information\n                Assurance and Cyber Security Division staff scanned the STIP\n                servers for vulnerabilities and are working to resolve them.\n\n                Figure 3: TSA rack diagram from internal TSA report (left) and picture of\n                the same TSA cabinet onsite (right).\n\n                According to the DHS 4300A Handbook,\n\n                         Components shall conduct vulnerability assessments and/or\n                         testing to identify security vulnerabilities on information\n                         systems containing sensitive information annually or\n                         whenever significant changes are made to the information\n                         systems.\n\n                Management Controls\n\n                TSA\'s implementation of management controls for systems\n                operating at ORD did not conform fully to DHS policies.\n                Specifically, TSA should prepare BIA documentation for these\n                systems.\n\n                Missing Business Impact Assessments\n\n                TSA has not prepared BIAs for the four systems operating at ORD.\n                According to the DHS 4300A Handbook,\n\n                         The Business Impact Assessment (BIA) is essential in the\n                         identification of critical DHS assets.\n\n                The BIA helps to identify and prioritize critical IT systems and\n                components. 
BIAs are also essential for contingency planning.\n                For example, a BIA would allow TSA to identify maximum\n                tolerable downtime, the resources required to resume\n                mission/business processes, and recovery priorities for system\n                resources.\n\n                TSA currently has an enterprise-level BIA process to address\n                systems that have been identified as mission critical. TSANet is\n                the only TSA-designated mission-critical system residing at ORD.\n\n                Without performing a BIA, TSA cannot be assured that its backup\n                and recovery plans meet the needs of the business owners\n                (e.g., recovery time objective and recovery point objective).\n\n       Recommendations\n                We recommend that the TSA CIO:\n\n                Recommendation #12: Take steps to ensure that server rooms are\n                maintained within DHS\' recommended temperature and humidity\n                ranges.\n\n                Recommendation #13: Continue efforts to improve the reliability\n                of telecommunications circuits at ORD, and work with CBP to\n                determine whether it is cost effective to use the redundant DHS\n                OneNet circuits to provide TSA with alternate telecommunications\n                services at ORD terminal locations.\n\n                Recommendation #14: Ensure that all TSA servers at ORD are\n                scanned annually.\n\n                Recommendation #15: Prepare the missing BIAs for the\n                identified TSA systems operating at ORD.\n\n       Management Comments and OIG Analysis\n                We obtained written comments on a draft of this report from\n                TSA\'s Administrator. 
We have included a copy of the comments\n                in their entirety at appendix B. The Administrator concurred with\n                our recommendations and also provided further information on\n                actions that TSA has already taken to resolve reported deficiencies.\n                These recommendations will be considered resolved but open\n                pending verification of all planned actions.\n\n                Recommendation 12\n\n                In response to recommendation 12, TSA will work with contractors\n                to ensure that the server rooms in its areas operate within DHS\n                recommended temperature and humidity ranges. TSA will also\n                install sensors and warning devices to alert personnel when the\n                operating environment is not within the recommended ranges.\n\n                OIG Analysis\n\n                The actions being taken satisfy the intent of this recommendation.\n                This recommendation is considered resolved, but will remain open\n                until TSA provides documentation to support that the planned\n                corrective actions are completed.\n\n                Recommendation 13\n\n                In response to recommendation 13, TSA will determine if it is cost\n                effective to use DHS OneNet circuits or a local metropolitan area\n                network to provide redundant communications.\n\n                OIG Analysis\n\n                The actions being taken satisfy the intent of this recommendation.\n                This recommendation is considered resolved, but will remain open\n                until TSA provides documentation to support that the planned\n                corrective actions are completed.\n\n                Recommendation 14\n\n                In 
response to recommendation 14, TSA scans its servers annually.\n                TSA has also assessed its servers for vulnerabilities and is working\n                to correct them.\n\n                OIG Analysis\n\n                The actions being taken satisfy the intent of this recommendation.\n                This recommendation is considered resolved, but will remain open\n                until TSA provides documentation to support that the planned\n                corrective actions are completed.\n\n                Recommendation 15\n\n                In response to recommendation 15, TSA has an enterprise-level\n                BIA process to address mission-critical systems, including the\n                TSANet. Additionally, TSA is starting a review to prioritize the\n                development of BIAs for identified systems. TSA provided\n                information on other supporting documents, including risk\n                assessment, COOPs, and contingency plans.\n\n                OIG Analysis\n\n                The actions being taken satisfy the intent of this recommendation\n                as they concern mission-critical systems. This recommendation is\n                considered resolved, but will remain open until TSA provides\n                documentation to support that the planned corrective actions are\n                completed.\n\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n                                                                                 1300 Pennsylvania Avenue NW\n                                                                                 Washington, DC 20229\n\n\n                                                                                 U.S. 
Customs and\n                                                                                 Border Protection\n                                                                               September 16, 2011\n\n\n\n           MEMORANDUM FOR: FRANK DEFFER\n                           ASSISTANT INSPECTOR GENERAL FOR IT AUDITS\n                           DEPARTMENT OF HOMELAND SECURITY\n\n           FROM:                    Assistant Commissioner\n                                    Office of Internal Affairs\n                                    U.S. Customs and Border Protection\n\n           SUBJECT:                 Response to the Office of Inspector General\'s Draft Report\n                                    Entitled, "Technical Security Evaluation of DHS Activities at\n                                    Chicago O\'Hare International Airport"\n\n           Thank you for providing us with a copy of your draft report entitled "Technical Security\n           Evaluation of DHS Activities at Chicago O\'Hare International Airport," and the\n           opportunity to comment on the issues in this report.\n\n           The report contains seven recommendations directed to U.S. Customs and Border\n           Protection (CBP). A summary of CBP actions and corrective plans to address the\n           recommendations is provided below:\n\n           Recommendation #1: Relocate telecommunications equipment so that the potential for\n           accidental damage is minimized; obtain temperature and humidity sensors and ensure that\n           server rooms are maintained within DHS\' recommended ranges.\n\n           CBP Response: Concur. CBP will move the two racks from the side switch rooms to a\n           future identified location and relocate the cables to that new location. 
CBP will purchase\n           temperature and humidity sensors with memory for each room identified by the audit.\n           These actions are dependent upon funding.\n\n           Completion Date: October 1, 2011\n\n           Recommendation #2: Explore near- and long-term solutions to its business continuity\n           issues at ORD. Potential solutions would include purchasing additional extended-life\n           laptop batteries, analyzing how many passengers per hour are processed using PALS\n           laptops, and purchasing enough PALS laptops to process ORD passengers within an\n           acceptable time frame.\n\n           Recommendation #3:                                        to establish redundant\n                                                                     locations.\n\n           CBP Response: Concur. At the International Mail Branch (CHI004), CBP has determined\n           that it is not cost effective to establish redundant telecommunications services at\n           CHI004A because it has fewer than 50 users.\n\n           CBP has determined that 9915 Bryn Mawr CBP Port Office (RMT007A) is a candidate\n           for redundant telecommunications services. A Notice of Finding and Recommendation\n           was accepted and a site design/tech refresh has been completed for the site to bring it to\n           current specifications.\n\n           CBP has determined that it is not cost effective to establish redundant telecommunications\n           services at 9450 Bryn Mawr (RMT008A) because it has fewer than 50 users.\n\n           Completion Date: Complete. 
CBP will provide supporting documentation to OIG.\n\n           Recommendation #4: Perform scans of CBP\'s                                to identify\n           vulnerabilities, and then take corrective actions\n\n           CBP Response: Concur. CBP routinely performs vulnerability assessment scans on\n                              CBP is in the process of decommissioning these servers and replacing\n           them with Windows File and Print servers.\n\n           Completion Date: TBD\n\n           Recommendation #5: Update the Central Field LAN\'s FIPS 199 Workbook with all\n           relevant information.\n\n           CBP Response: Concur. This recommendation is now obsolete as CBP has removed all\n           PALS data from the Central Field LAN and therefore it no longer contains personally\n           identifiable information (PII). The FIPS 199 is currently moderate. Since there is no PII,\n           there is no reason for the system to be considered high.\n\n           Completion Date: Complete. CBP respectfully requests closure of this recommendation.\n\n           Recommendation #6: Prepare a PIA for the Central Field LAN.\n\n           Completion Date: Complete. 
CBP is requesting closure of this recommendation based\n           on the removal of all PALS data from the Central Field LAN.\n\n           Recommendation #7: Prepare the missing BIAs for the identified CBP systems operating\n           at ORD.\n\n           CBP Response: Concur. CBP will prepare the Business Impact Analysis\' (BIAs) for the\n           Central Field LAN, Global Entry, Non-Intrusive Inspection (NII) Systems, and TECS.\n           However, CBP will not be completing a BIA for DHS OneNet as it is a General Support\n           System (GSS), not an operational system. DHS does not have a policy requirement to\n           complete a BIA at the system level.\n\n           As the GSS for DHS, all OneNet systems have High availability or redundancy built in.\n           OneNet can provide metrics to a component or application to help them determine the\n           BIA of their system. OneNet offers the opportunity for mission critical sites/systems to\n           order diverse services to achieve even higher availability standards, but the determination\n           and ordering of these services is a Component responsibility.\n\n           As the GSS, it is inappropriate for OneNet to quantify in a BIA what is critical. Criticality\n           of systems is assigned at the application level. 
I.E., OneNet cannot decide what systems\n           are critical for TECS, or other applications.\n\n           DHS OneNet and Redundant Trusted Internet Connection (RTIC) provide redundancy\n           based on the fact that they have a "HIGH" CIA (Confidentiality/Integrity/Availability)\n           categorization across the board.\n\n           Completion Date: August 30, 2012\n\n           With regard to the sensitivity of the draft report, CBP has identified information within the\n           report requiring restricted public access based on a designation of "For Official Use Only"\n           as it could be used by adversarial parties which seek to cause harm either to the CBP\n           systems or to individuals who would be affected by unauthorized disclosure of the\n           information. Therefore, CBP also includes sensitivity and technical comments to the draft\n           report in an attachment to this letter.\n\n           If you have any questions regarding this response, please contact me or have a member of\n           your staff contact Ms. Ashley Roone, CBP Audit Liaison, at (202) 344-2539.\n\n           Attachments\n\n\n                                                                           U.S. Department of Homeland Security\n                                                                           500 12th Street, SW\n                                                                           Washington, D.C. 20536\n\n\n                                                                           U.S. 
Immigration\n                                                                           and Customs\n                                                                           Enforcement\n\n                                                 October 5, 2011\n\n\n         MEMORANDUM FOR: Frank Deffer\n                         Assistant Inspector General for Information Technology\n                         Office of Inspector General\n\n         FROM:                     Radha C. Sekar\n                                   Chief Financial Officer\n\n         SUBJECT:                  ICE Response for Recommendations 8-11 of the OIG Draft Report:\n                                   "Technical Security Evaluation of DHS Activities at Chicago O\'Hare\n                                   International Airport", dated August 3, 2011.\n\n\n         U.S. Immigration and Customs Enforcement (ICE) appreciates the opportunity to comment on\n         the four recommendations directed towards ICE in the subject draft report. Attached is our\n         response to OIG recommendations 8-11 for action by ICE.\n\n         ICE is requesting OIG consider recommendations 8, 9 and 10 closed. We are requesting\n         recommendation 11 be considered resolved and open pending completion of ICE\'s new Security\n         Authorization package.\n\n         Should you have any questions or concerns, please contact Michael Moy, OIG Portfolio\n         Manager at (202) 732-6263 or by e-mail at Michael.Moy@dhs.gov.\n\n         Attachment\n\n\n                                                                           www.ice.gov\n\n\n                                    U.S. 
Immigration and Customs Enforcement\n                                               Response to OIG Draft Report:\n               Tech. Security Eval. Of DHS Activities at Chicago O\'Hare Int\'l. Airport (ORD)\n                                                Recommendations 8 - 11\n\n\n         Recommendation # 8: Improve physical security and environmental controls at ORD sites by\n         obtaining smoke detectors, fire extinguishers, and humidity/temperature sensors; ensure that\n         server rooms are maintained within DHS\' recommended temperature and humidity ranges; and\n         provide barriers protecting IT infrastructure from being inadvertently damaged in a supply room.\n\n         ICE Response # 8: ICE does not concur with this recommendation. ICE recognizes the\n         physical and environmental deficiencies at the ORD site. However, as a tenant of a dual-use\n         (commercial/government) facility, ICE cannot apply the recommended modifications to the\n         facility without approval from Building Management. Building Management has stated that they\n         cannot retrofit a single suite in the dual-use facility for a single tenant. Additionally, ICE cannot\n         relocate to another facility until funds become available and a new facility is located. ICE must\n         accept the physical and environmental risks associated with the current facility. ICE requests\n         OIG consider this recommendation as closed.\n\n\n         Recommendation # 9: Determine if it is cost-effective to establish redundant\n         telecommunications services at the two identified ICE locations.\n\n         ICE Response # 9: ICE does not concur with this recommendation. ICE OCIO Enterprise\n         Operations has a process for determining which sites require redundant communications. Based on rough\n         estimates, there are well over 600 satellite field sites throughout the country. 
Based on the numbers, ICE\n         has determined that to install and maintain redundant circuits for these mainly small sites would cost\n         millions of dollars. The vast majority of RAC/OPR Offices are located within proximity of the SAC\n         Office where redundancy exists. Continuity of Operations is currently in place throughout ICE/OCIO if\n         and/or when the need should arise. Therefore, ICE requests OIG consider this recommendation\n         closed.\n\n\n         Recommendation # 10: Prepare a BIA for the SAC Midwest GSS.\n\n         ICE Response # 10: ICE does not concur with this recommendation. ICE does not currently\n         have a policy in place requiring Business Impact Analysis (BIA) for individual systems and is\n         not aware of a DHS standard or template for completing one to a specific DHS standard.\n         However, the ICE Disaster Recovery Branch maintains an enterprise-level BIA for ICE and\n         updates it as required. As mentioned in the report, SAC Midwest GSS (General Support System)\n         is currently undergoing a process of merging into an overarching nationwide Type Accreditation\n         package. ICE will have BIA when the new nationwide Type Accreditation package receives an\n         ATO. ICE requests OIG consider this recommendation as closed.\n\n\n                                       Response to OIG Draft Report:\n               Tech. Security Eval. Of DHS Activities at Chicago O\'Hare Int\'l. 
Airport (ORD)\n                                            Recommendations 8 - 11\n\n\n         Recommendation # 11: Continue to establish nationwide systems to resolve known\n         deficiencies with the ICE Midwest GSS accreditation boundaries.\n\n         ICE Response # 11: ICE concurs with this recommendation. ICE is currently developing a\n         new Security Authorization package to address workstations, file servers, and print servers at\n         Chicago O\'Hare Airport (ORD) and other field offices. ICE will assess the accreditation\n         boundary at ORD and other sites prior to obtaining the new Authorization-to-Operate.\n\n         ICE requests OIG consider this recommendation as resolved and open pending completion of\n         ICE\'s assessment and new Security Authorization package. Estimated completion date is\n         December 2011.\n\n\n                                                                                 U.S. Department of Homeland Security\n                                                                                 601 South 12th Street\n                                                                                 Arlington, VA 20598\n\n           OCT 6 2011                                                            Transportation\n                                                                                 Security\n                                                                                 Administration\n                                                 INFORMATION\n\n\n        MEMORANDUM FOR:               Charles K. Edwards,\n                                      Acting Inspector General\n                                      U.S. 
Department of Homeland Security\n        FROM:                         John S. Pistole\n                                      Administrator\n\n        SUBJECT:                       Draft Report: Technical Security Evaluation of\n                                       DHS Activities at Chicago O\'Hare International Airport\n                                       OIG Project No. 11-005-ITA-DHS\n\n\n        This memorandum is the Transportation Security Administration (TSA) formal response to a\n        July 2011 report from the U.S. Department of Homeland Security (DHS) Office of Inspector\n        General (OIG) titled Technical Security Evaluation of DHS Activities at Chicago O\'Hare\n        International Airport. TSA recognizes the importance of effective management, and operational\n        and technical controls to protect sensitive information processed through TSA assets, and we\n        appreciate the opportunity to comment on OIG\'s draft report.\n\n        Background\n\n        As part of OIG\'s Technical Security Evaluation Program, OIG evaluated DHS components\'\n        information-technology security at Chicago O\'Hare International Airport (ORD). On April 20,\n        2011, OIG commenced its audit of TSA, U.S. Customs and Border Protection (CBP), and U.S.\n        Immigration and Customs Enforcement assets at ORD. The audit\'s objective was to determine\n        whether the information-technology security controls implemented at ORD had deficiencies that,\n        if exploited, could result in the loss of confidentiality, integrity, and availability of the\n        components\' information-technology systems. 
The audit included staff interviews, 
a review of\n        applicable policies and procedures, technical tests of internal controls, and onsite inspections of\n        areas with TSA assets.\n\n        Discussion\n\n        As noted in the draft report, OIG determined that TSA could strengthen operational controls over\n        server rooms regarding temperature and humidity. OIG, however, did not detect the deficiency\n        of any additional physical security controls that protect the TSA network and devices. A lack of\n        cost effective telecommunications services was noted within the OIG report; however, ORD has\n        mitigating factors in place. OIG found missing Business Impact Assessments (BIAs) for four\n        systems at ORD. BIAs are used to help identify and protect critical Information Technology (IT)\n        systems. TSA currently conducts BIAs only for identified mission-critical systems.\n\n        OIG has acknowledged that TSA has decommissioned servers, adjusted the temperature and\n        humidity in two of the other server rooms, and is working to bring the temperature and humidity\n        in the remaining three server rooms to be within DHS guidance. TSA concurs with the four\n        recommendations below and appreciates OIG\'s efforts to improve the protection of TSA\n        infrastructure at ORD.\n\n        OIG Recommendation # 12: Take steps to ensure that server rooms are maintained within\n        DHS\' recommended temperature and humidity ranges.\n\n        TSA Concurs: This recommendation is for the operating environments of ORD IT cabinets that\n        house servers. 
There were locations specifically identified by the OIG that were not in\n        compliance with the DHS operational requirement. TSA has taken the following steps to ensure\n        that the temperature and humidity ranges at these locations are operating per DHS requirements:\n\n           \xe2\x80\xa2   The ORD IT Specialist is currently working with the GE Morpho and L3 contracting\n               companies to address the temperature and humidity levels in the server rooms.\n\n           \xe2\x80\xa2   A Netbotz device has been implemented to alert the appropriate personnel if temperature\n               and humidity thresholds are exceeded.\n\n           \xe2\x80\xa2   The Terminal 2 Mezzanine location currently has a standalone Liebert temperature and\n               humidity control unit implemented with an operating temperature of 65 degrees\n               Fahrenheit and 45 percent relative humidity respectively. The Liebert temperature and\n               humidity unit sounds an alarm when operating temperature and humidity thresholds are\n               exceeded.\n\n        OIG Recommendation # 13: Continue efforts to improve the reliability of telecommunications\n        circuits at ORD, and work with CBP to determine whether it is cost-effective to use the\n        redundant DHS OneNet circuits to provide TSA with alternate telecommunications services at\n        ORD terminal locations.\n\n        TSA Concurs: TSA is working with CBP to determine whether it is cost-effective to use the\n        redundant DHS OneNet circuits to provide TSA with cost-effective redundancy at ORD terminal\n        locations. 
Additionally, TSA is investigating the use of local Metropolitan Area Network\n        (MAN) at ORD for improved reliability, 
while at the same time reducing costs by consolidating\n        the number of circuits by interconnecting the terminals via optical fiber.\n\n        OIG Recommendation # 14: Ensure that all TSA servers at ORD are scanned annually.\n\n        TSA Concurs: TSA servers will be scanned annually. The servers and Transportation Security\n        Equipments have been assessed (via automated scans and manual configuration checks) for\n        vulnerabilities and TSA is working to resolve them.\n\n        Recommendation #15: Prepare the missing BIAs for the identified TSA systems operating at\n        ORD.\n\n        TSA Concurs: TSA currently has an enterprise-level BIA process to address systems that have\n        been identified as mission-critical. TSA\'s Office of Information Technology (OIT) is currently\n        starting a review of all accredited information technology systems for mission criticality and\n        current recovery strategy to update the IPOB\'s "Mission Critical Systems List" and prioritize the\n        development of BIAs and continuity plans for the identified systems.\n\n        Additionally, ORD has compensating controls to include a Risk Assessment (RA), Continuity of\n        Operations (COOP) Plan, and Contingency Plan (CP). The RA facilitates the risk of loss if any\n        offices at ORD become temporarily unavailable or experience a disruption of services such as\n        network outages and power outages. 
The COOP Plan contains detailed information for assuring\n        the safety of personnel and the continuity of mission essential functions in the event that normal\n        operations are severely disrupted. The Security Technology Integrated Program General Support\n        System (STIP GSS) also has a CP and procedures established to recover the system following a\n        disruption. Supporting documents from the STIP GSS have already been provided.\n\n        Attachment: Draft Report: Technical Security Evaluation of DHS Activities at Chicago O\'Hare\n        International Airport - Sensitive Security Information\n\n\x0cAppendix D\nReport Distribution\n\n\n                        Department of Homeland Security\n\n                        Secretary\n                        Deputy Secretary\n                        Chief of Staff\n                        Deputy Chief of Staff\n                        General Counsel\n                        Executive Secretariat\n                        Director, GAO/OIG Liaison Office\n                        Assistant Secretary for Office of Policy\n                        Assistant Secretary for Office of Public Affairs\n                        Assistant Secretary for Office of Legislative Affairs\n                        Under Secretary for Management\n                        DHS CISO\n                        DHS CISO Audit Liaison\n                        CBP CIO\n                        CBP Audit Liaison\n                        ICE CIO\n                        ICE Audit Liaison\n                        TSA CIO\n                        TSA Audit Liaison\n\n                        Office of Management and Budget\n\n                        Chief, Homeland Security Branch\n                        DHS OIG Budget Examiner\n\n                        
Congress\n\n                        Congressional Oversight and Appropriations Committees, as\n                        appropriate\n\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General\n(OIG) at (202)254-4100, fax your request to (202)254-4305, or e-mail your request to\nour OIG Office of Public Affairs at DHS-OIG.OfficePublicAffairs@dhs.gov. For\nadditional information, visit our OIG website at www.oig.dhs.gov or follow us on Twitter\n@dhsoig.\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to Department of Homeland Security programs and\noperations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202)254-4292\n\n\xe2\x80\xa2 E-mail us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n        DHS Office of Inspector General/MAIL STOP 2600,\n        Attention: Office of Investigation - Hotline,\n        245 Murray Drive SW, Building 410\n        Washington, DC 20528\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'